dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile

Author: unknown

Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.

Definition

rules:
  - id: no-sudo-in-dockerfile
    patterns:
      - pattern: |
          RUN sudo ...
    message: Avoid using sudo in Dockerfiles. Running processes as a non-root user
      can help reduce the potential impact of configuration errors and security
      vulnerabilities.
    metadata:
      category: security
      technology:
        - dockerfile
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://cwe.mitre.org/data/definitions/250.html
        - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - dockerfile
    severity: WARNING

Examples

no-sudo-in-dockerfile.dockerfile

# Use the official Ubuntu 20.04 image as the base image
FROM ubuntu:20.04

ENV DEBIAN_FRONTEND noninteractive

# ok: no-sudo-in-dockerfile
RUN apt-get update && apt-get upgrade -y

# ok: no-sudo-in-dockerfile
RUN apt-get install -y sudo

RUN useradd -ms /bin/bash newuser

RUN echo "newuser ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

USER newuser

# ruleid: no-sudo-in-dockerfile
RUN sudo apt-get install -y curl

CMD ["echo", "Hello, Docker!"]
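As an added stand-alone check (not part of the Semgrep rule or this registry page), the following Python walks a Dockerfile the way the rule's `RUN sudo ...` pattern does, using a trimmed copy of the example above plus two constructed lines. It goes a step beyond the literal pattern on this page: it also flags the exec form `RUN ["sudo", ...]` and a `sudo` that starts a later `&&`/`||`/`|`/`;` segment, since those invoke sudo just the same.

```python
import json
import shlex

# Page's example Dockerfile, trimmed, plus two constructed lines (exec form, "&&" chain).
SAMPLE_DOCKERFILE = """\
FROM ubuntu:20.04
# ok: installing the sudo package is not itself a finding
RUN apt-get update && apt-get upgrade -y
RUN apt-get install -y sudo
RUN echo "newuser ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
RUN sudo apt-get install -y curl
RUN ["sudo", "apt-get", "install", "-y", "git"]
RUN apt-get update && \\
    sudo apt-get install -y vim
CMD ["echo", "Hello, Docker!"]
"""

def parse_instructions(text):
    """Yield (first_line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip comments and blank lines
            continue
        start = no if start is None else start
        if line.endswith("\\"):                   # continuation: keep buffering
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        keyword, _, args = " ".join(buf).partition(" ")
        yield start, keyword.upper(), args.strip()
        buf, start = [], None

def invokes_sudo(args):
    """True when sudo starts the exec-form argv or any shell segment (&&, ||, |, ;)."""
    if args.startswith("["):                      # exec form: JSON array
        try:
            return json.loads(args)[:1] == ["sudo"]
        except ValueError:
            return False
    segment_start = True                          # shell form: walk the word list
    for tok in shlex.split(args):
        if segment_start and tok == "sudo":
            return True
        segment_start = tok in ("&&", "||", "|") or tok.endswith(";")
    return False

def find_sudo_runs(text):
    """Line numbers of RUN instructions that invoke sudo (generalizes `RUN sudo ...`)."""
    return [no for no, kw, args in parse_instructions(text) if kw == "RUN" and invokes_sudo(args)]
```

Running `find_sudo_runs(SAMPLE_DOCKERFILE)` reports lines 6, 7 and 8 of the sample; `RUN apt-get install -y sudo` and the `/etc/sudoers` echo are not reported, matching the `# ok` cases in the rule's test file.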